Welcome back to security, governance and compliance. In today's lecture we're going to discuss the importance of legal and regulatory compliance, some of the considerations that come into play, and the complications that arise as legal frameworks attempt to catch up with security governance.

In our previous lecture we discussed cybersecurity governance as an integral piece of the overall business governance strategy in a top-down model. Remember, the idea is to narrow the scope of all the various rabbit holes that come with the landscape of cybersecurity, and all of the things we could pursue in the name of cybersecurity, in order to stay in close alignment with the vision, the strategy and the main thing of an organization. Alignment with an organization can happen in many ways, and this includes alignment with the culture of an organization, the risk tolerance of an organization, the overall market and industry conditions an organization faces, and possibly most importantly, the surrounding legal and regulatory landscape and requirements that an organization has to understand, deal with, comply with and sometimes contend with.

There are many well-known laws and regulations that are directly tied to the security and privacy of data for large industries. Some examples are the PCI DSS standard for payment card data; the GDPR, the European data protection standard for the privacy of individual data; the NERC-CIP standard for energy and critical infrastructure protection; and HIPAA for protected health information. There are many more examples, but these are some of the more notable ones. You may notice that each of these standards corresponds to a distinct type of data: health information, privacy information, payment card information and so on.
Each standard or regulation establishes a distinct framework for managing information security risk with regard to that type of information. The term framework is used everywhere, but there's an important distinction to remember and to understand between a governance framework and a control framework. At a high level, governance frameworks are business process models that include the essential activities, the business processes, needed by most organizations. At their core, governance frameworks are focused on risk management: they want to identify risk in order to drive certain activities and other processes that reduce the risk to an acceptable level. Control frameworks, on the other hand, are catalogs of security activities, such as implementing certain technologies, configurations and policies, that can be tailored for specific security programs. So the two are tightly intertwined, but there is a distinction between them.

Probably the best example, and sort of the gold standard in the industry, is what's known as the NIST Cybersecurity Framework, or NIST CSF. It's a perfect example of the relationship between governance frameworks and control frameworks. Here we see that the NIST CSF is broadly divided into five functions, and those functions are subdivided into various categories. If we drill down on one of those categories, we can see that it is further broken down into subcategories, which ultimately map to specific controls, all the way over on the right-hand side under informative references. They map to specific controls that are called out in control frameworks, so you can go between control frameworks and governance frameworks. But as you might imagine, if you just open up a control framework, you'll get a list of things that you could do.
It won't necessarily have a lot of coherence, meaning or sequence behind how you might approach the program overall. That's where the governance framework adds sense to the collection of things you could do in any given control framework.

When information and information systems fall under regulations or legal obligations, audits almost always tend to follow. Something to keep in mind is that failed audits can result in fines and very large penalties. On the flip side, a lot of the time sustained audit performance, a track record of good audit performance, can act as a business differentiator, a reputation booster and sometimes the basis for advertising. It can add quite a bit of differentiation; it's really sort of a binary operation. Bad audit performance can be very bad, and sustained audit performance can really differentiate you from the competition.

We've discussed the idea that cybersecurity emerges from the gaps that are opened by the pace of technological change and the ability or inability to effectively manage that change. Many legal and regulatory requirements were created in response to cybersecurity or privacy issues; they're very reactive in that way. However, the legal and regulatory process is very slow, and as a result the gap between the pace of technological change and the regulatory change that reacts to it is very large. This has led to a very common phrase: compliance is not security, compliance does not equal security. So, after a while, you can start to satisfy compliance requirements without necessarily making an organization more secure. Compliance is very narrowly focused, maybe on just a specific kind of data, not necessarily on the overall security program for an organization. It can almost become its own discipline, its own particular thing that needs to be monitored, upheld and managed.
Because the downside risk of having poor audits or mishandling data is so large, compliance becomes the end in and of itself. So there's a constant tension between balancing compliance with maintaining good security. When an organization is subject to multiple standards, the process of identifying what all those standards are, understanding them and their obligations, as well as understanding the overlap between those standards, can be a monumental undertaking. The influence of these overlapping, constantly changing and sometimes convoluted standards can affect organizations' decisions to undertake major technological changes that might bring about new requirements or audits. It can also affect an organization's decision to even enter or exit certain markets, partnerships, contracts and things like this. So at the same time that we are trying to formalize and sometimes codify good security, usually in reaction to something bad happening, if it's allowed to persist and go unchecked then it can actually start to become burdensome in such a way that it starts to lose the value it was originally designed to promote.